[ https://issues.apache.org/jira/browse/SPARK-54715?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Thum updated SPARK-54715:
---------------------------------
    Description: 
Our security scanner finds the following critical vulnerabilities in our Spark 
container image.

Is it possible for you to upgrade the dependencies to the fixed versions?

Thank you!

 

*Spark 4.0.1*
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.9.2|1.11.4|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD: 9.4|org.glassfish.jersey.core_jersey-client|3.0.16|4.0.0-m2, 3.1.10, 3.0.17, ...|

I've seen that there is already a PR to fix 
[CVE-2025-12383|https://github.com/advisories/GHSA-7p63-w6x9-6gr7]: 
[#53404|https://github.com/apache/spark/pull/53404] SPARK-54649 [BUILD][3.5] 
Upgrade Jersey to 2.47

 

*Spark 3.5.7*
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
|[CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981]|Critical|N/A|org.apache.zookeeper_zookeeper|3.6.3|3.9.1, 3.8.3, 3.7.2|
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.7.7|1.11.4|

A fix for [CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981] was 
already requested in SPARK-45956 and a backport to Spark 3.X was rejected 
([https://github.com/apache/spark/pull/43844#issuecomment-3468731350]). I 
guess the situation has not changed here?

Regarding [CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561], I'm 
a bit confused whether it's a false positive or not. As far as I can see, Spark 
3.5.7 already uses Apache Avro 1.11.4 and Spark 4.0.1 uses Avro 1.12.0. Could 
you please confirm that you do not use an older Avro version in some 
circumstances? Thanks a lot!

  was:
Our security scanner finds the following critical vulnerabilities in our Spark 
container image.

Is it possible for you to upgrade the dependencies to the fixed versions?

Thank you!

 

*Spark 4.0.1*
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.9.2|1.11.4|
|[CVE-2025-12383|https://nvd.nist.gov/vuln/detail/CVE-2025-12383]|Critical|NVD: 9.4|org.glassfish.jersey.core_jersey-client|3.0.16|4.0.0-m2, 3.1.10, 3.0.17, ...|

I've seen that there is already a PR to fix 
[CVE-2025-12383|https://github.com/advisories/GHSA-7p63-w6x9-6gr7]: 
[#53404|https://github.com/apache/spark/pull/53404] SPARK-54649 [BUILD][3.5] 
Upgrade Jersey to 2.47

 

*Spark 3.5.7*
||Vulnerability||Severity||CVSS3||Package||Current Version||Fixed in version||
|[CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981]|Critical|N/A|org.apache.zookeeper_zookeeper|3.6.3|3.9.1, 3.8.3, 3.7.2|
|[CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561]|Critical|NVD: 9.8|org.apache.avro_avro|1.7.7|1.11.4|

A fix for [CVE-2023-44981|https://nvd.nist.gov/vuln/detail/CVE-2023-44981] was 
already requested in SPARK-45956 and a backport to Spark 3.X was rejected 
([https://github.com/apache/spark/pull/43844#issuecomment-3468731350]).

 

Regarding [CVE-2024-47561|https://nvd.nist.gov/vuln/detail/CVE-2024-47561], I'm 
a bit confused whether it's a false positive or not. As far as I can see, Spark 
3.5.7 already uses Apache Avro 1.11.4 and Spark 4.0.1 uses Avro 1.12.0. Could 
you please confirm that you do not use an older Avro version in some 
circumstances? Thanks a lot!


> Request to patch dependencies to fix critical CVEs
> --------------------------------------------------
>
>                 Key: SPARK-54715
>                 URL: https://issues.apache.org/jira/browse/SPARK-54715
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Security
>    Affects Versions: 4.0.1, 3.5.7
>            Reporter: Andreas Thum
>            Priority: Major
>              Labels: security
>
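One way to settle the reporter's question about the Avro finding is to check which artifact versions actually ship in the image's jars/ directory instead of trusting the scanner's package match. The following Python is an added example, not code from the issue or from the Spark project: the findings are copied from the tables above, the jar listing is constructed sample data, and the rule for reading the "Fixed in version" column (compare against the fix on the same major.minor line, otherwise the lowest listed fix) is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Scanner findings copied from the issue: (CVE, scanner package id, fixed versions).
FINDINGS = [
    ("CVE-2024-47561", "org.apache.avro_avro", ["1.11.4"]),
    ("CVE-2025-12383", "org.glassfish.jersey.core_jersey-client", ["4.0.0-m2", "3.1.10", "3.0.17"]),
    ("CVE-2023-44981", "org.apache.zookeeper_zookeeper", ["3.9.1", "3.8.3", "3.7.2"]),
]
# Constructed listing of a Spark image's jars/ directory (sample data, not from a real image).
SAMPLE_JARS = ["avro-1.12.0.jar", "avro-mapred-1.12.0.jar", "jersey-client-3.0.16.jar",
               "zookeeper-3.6.3.jar", "spark-core_2.13-4.0.1.jar"]
# artifact-version.jar, e.g. jersey-client-3.0.16.jar -> ('jersey-client', '3.0.16')
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d+(?:\.\d+)*(?:[-.][A-Za-z][A-Za-z0-9]*)?)\.jar$")

def parse_version(v: str) -> Tuple[Tuple[int, ...], int]:
    """'3.1.10' -> ((3, 1, 10), 1); a qualifier such as '4.0.0-m2' sorts below the final release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][A-Za-z0-9]*))?$", v)
    if not m:
        raise ValueError(f"unparsable version: {v}")
    return tuple(int(x) for x in m.group(1).split(".")), (0 if m.group(2) else 1)

def is_fixed(version: str, fixed: List[str]) -> bool:
    """Assumed reading of 'Fixed in version': compare against the fix on the same major.minor
    line when one exists (3.1.9 is still vulnerable if the fix is 3.1.10), else the lowest fix."""
    cur = parse_version(version)
    same_line = [f for f in fixed if parse_version(f)[0][:2] == cur[0][:2]]
    return cur >= parse_version(min(same_line or fixed, key=parse_version))

def shipped_versions(jars: List[str], artifact: str) -> List[str]:
    """Every version of the artifact in the listing, so a second, older copy is not missed."""
    matches = (JAR_RE.match(name) for name in jars)
    return [m.group("version") for m in matches if m and m.group("artifact") == artifact]

def audit(jars: List[str], findings=FINDINGS) -> Dict[str, str]:
    """Per-CVE verdict from what actually ships: 'fixed', 'vulnerable' with the offending
    versions, or 'not shipped' when no jar of that artifact exists (scanner matched something else)."""
    verdicts = {}
    for cve, package, fixed in findings:
        artifact = package.split("_", 1)[1]          # 'org.apache.avro_avro' -> 'avro'
        versions = shipped_versions(jars, artifact)
        bad = [v for v in versions if not is_fixed(v, fixed)]
        if not versions:
            verdicts[cve] = "not shipped"
        elif bad:
            verdicts[cve] = f"vulnerable ({', '.join(bad)})"
        else:
            verdicts[cve] = f"fixed ({', '.join(versions)})"
    return verdicts
```

Run `audit(sorted(os.listdir("/opt/spark/jars")))` inside the container to replace the constructed listing with the real one; a "not shipped" verdict for a CVE is the hint that the scanner matched a relocated or shaded copy rather than a jar in that directory.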



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
